Highlight

Expert → Senior Frontend Security

Deep Dive into Cross-Site Request Forgery (CSRF) Protection

In today’s interconnected world, web applications are constantly exchanging sensitive data — and attackers are always looking for ways to exploit that trust. One of the more insidious threats is Cross-Site Request Forgery (CSRF). Despite its simplicity, a successful CSRF attack can have devastating consequences for both users and organizations.

Let’s dive deep into what CSRF is, how it works, and how we can protect against it.

What is Cross-Site Request Forgery (CSRF)?

CSRF is a type of attack that tricks a user into performing actions on a web application where they are already authenticated, without their consent.
Because the request comes from the user’s browser — which has valid credentials (like cookies or sessions) — the server believes it’s a legitimate action.

Example Scenario:
Imagine you are logged into your online banking site. If an attacker tricks you into clicking a malicious link while you’re still logged in, they could transfer money out of your account without your knowledge.

How CSRF Works

  1. User logs in to a trusted website and gets authenticated (via session cookies).
  2. Without logging out, the user visits a malicious website or clicks a crafted link.
  3. The malicious site sends a forged request to the trusted site using the user’s session credentials.
  4. The trusted site processes the request because it seems valid, performing actions on behalf of the attacker.

Since browsers automatically include cookies in requests, the application cannot distinguish between legitimate and forged requests unless proper protection is in place.

Common Targets for CSRF Attacks

  • Changing account settings (email, password)
  • Making transactions (banking, shopping)
  • Posting messages or data
  • Deleting accounts

CSRF vs XSS: A Quick Clarification

  • XSS is about injecting malicious code into a site to run in the user’s browser.
  • CSRF is about tricking a user’s browser into sending a request the user did not intend to send.

How to Protect Against CSRF

1. CSRF Tokens

The most common defense mechanism. Here’s how it works:

  • The server generates a unique, unpredictable token and sends it to the client.
  • The client must submit this token with every state-changing request (POST, PUT, DELETE).
  • If the server doesn’t receive a valid token, it rejects the request.

Important:
Tokens should be:

  • Unique per session (or even per request)
  • Tied to the user’s session
  • Random and hard to guess

Example:

htmlCopyEdit<form action="/transfer" method="POST">
  <input type="hidden" name="csrf_token" value="randomgeneratedtoken12345">
  <input type="text" name="amount" />
  <button type="submit">Transfer</button>
</form>

2. SameSite Cookie Attribute

Modern browsers support the SameSite cookie attribute, which restricts cookies to first-party contexts.

  • SameSite=Strict: Cookies are sent only with same-site requests.
  • SameSite=Lax: Cookies are sent with same-site requests and some top-level navigation.
  • SameSite=None; Secure: Cookies are sent in cross-site contexts but must be secured via HTTPS.

By setting SameSite on authentication cookies, you significantly reduce CSRF risk.

Example:

vbnetCopyEditSet-Cookie: session_id=xyz; SameSite=Strict; Secure

3. Double Submit Cookies

Another strategy involves sending the CSRF token both:

  • As a cookie
  • As a request parameter

The server checks if both match.

4. Checking Referer and Origin Headers

In some cases, you can validate the Referer or Origin headers to ensure requests are coming from trusted domains. However, these headers can be unreliable and should not be the only line of defense.

5. User Interaction Verification

For highly sensitive actions (like transferring money), ask users for extra interaction — e.g., re-entering a password or solving a CAPTCHA — to ensure the action is intentional.

Best Practices for Developers

  • Always use POST, PUT, or DELETE for actions that change server state. Never use GET for state-changing operations.
  • Implement CSRF protection libraries provided by your framework (Django, Laravel, Spring, etc.).
  • Keep authentication cookies short-lived and rotate session tokens after login/logout.
  • Educate users about the importance of logging out from sensitive applications when done.

Final Thoughts

Cross-Site Request Forgery exploits the implicit trust between users and web applications.
The good news? Defending against CSRF is very doable if you understand the problem and apply layered protections like CSRF tokens, SameSite cookies, and smart application design.

Security should not be an afterthought — it should be baked into every layer of your application.

Share this content:
Toni Naumoski

Hi, my name is Toni Naumoski, and I’m a Senior Frontend Developer with a passion for blending code and design. With years of experience as a Frontend Developer, Web Designer, and Creative Technologist, I specialize in crafting unique, responsive, and detail-oriented websites and web applications that stand out. I bring deep expertise in HTML, CSS, and JavaScript—working fluently with modern frameworks like React, Angular, and Vue, as well as animation libraries like GSAP. My creative side thrives in Photoshop and Figma, and I enjoy extending functionality using tools like Express.js and ChatGPT. My work is guided by high integrity, strong communication, a positive attitude, and a commitment to being a reliable collaborator. I take pride in delivering high-quality digital experiences that are both technically solid and visually compelling.

view all posts

Related Posts

You May Have Missed